Some of the most popular open source cryptography libraries are footgun-filled horror shows. According to GitHub, aes-js has over 700k direct and indirect dependents, and its CTR implementation “helpfully” supplies a fixed, default counter. Its sister library, pyaes, makes the same design decision, and its documentation gives examples that rely on this behavior. elliptic.js has serious bugs that went unaddressed for the better part of a decade. libgcrypt, which underpins GnuPG, makes single-DES, RC4, MD4, and other insecure primitives available to developers, despite their not being supported in the OpenPGP standard.
These footguns lead to real-world failures: Trail of Bits has identified multiple applications, including cryptocurrency wallets, a password manager, and a VPN management suite, that have relied on the aes-js/pyaes default IV, severely compromising wallets, certificates, passwords, and passphrases. elliptic.js led to real-world signature failures.
Why the hell is this situation allowed to continue? Failing to speak openly and loudly about these popular libraries is cryptographic malpractice, and we have to do more to protect developers. Better APIs can only go so far: it’s time for us to start naming names and warning against bad actors.
NOTE: At some points this video blanks briefly to a white screen to obscure attendees with red lanyards who did not consent to being recorded.